From b8e66572cc41ea3ac001dc07e038ee549f8ea3b3 Mon Sep 17 00:00:00 2001
From: Welly Hsu
Date: Mon, 6 Feb 2023 15:20:13 +0800
Subject: [PATCH] Update ofl_app selinux policy
bug: 264489564
test: Use ofl_app (OFLBasicAgent app) will not face avc error
Change-Id: I55061f6b067e054ec605cd6a196406e48c1271e6
---
 tracking_denials/ofl_app.te | 4 ----
 vendor/ofl_app.te | 14 ++++++++++++++
 vendor/seapp_contexts | 2 +-
 3 files changed, 15 insertions(+), 5 deletions(-)
 delete mode 100644 tracking_denials/ofl_app.te
diff --git a/tracking_denials/ofl_app.te b/tracking_denials/ofl_app.te
deleted file mode 100644
index 31a420f0..00000000
--- a/tracking_denials/ofl_app.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# b/264489564
-userdebug_or_eng(`
- permissive ofl_app;
-')
\ No newline at end of file
diff --git a/vendor/ofl_app.te b/vendor/ofl_app.te
index eecef5f9..69e166af 100644
--- a/vendor/ofl_app.te
+++ b/vendor/ofl_app.te
@@ -1,3 +1,17 @@
 # OFLBasicAgent app
+
 type ofl_app, domain;
+userdebug_or_eng(`
+ app_domain(ofl_app)
+ net_domain(ofl_app)
+
+ allow ofl_app app_api_service:service_manager find;
+ allow ofl_app nfc_service:service_manager find;
+ allow ofl_app radio_service:service_manager find;
+ allow ofl_app surfaceflinger_service:service_manager find;
+
+ # Access to directly update firmware on st54spi_device
+ typeattribute st54spi_device mlstrustedobject;
+ allow ofl_app st54spi_device:chr_file rw_file_perms;
+')
\ No newline at end of file
diff --git a/vendor/seapp_contexts b/vendor/seapp_contexts
index 9c4ad5ff..0eb2229c 100644
--- a/vendor/seapp_contexts
+++ b/vendor/seapp_contexts
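Review bot: The `typeattribute st54spi_device mlstrustedobject;` line in vendor/ofl_app.te changes a property of the device type for every domain, not only ofl_app, yet it sits inside this app's `userdebug_or_eng` block with no stated reason. Presumably it is needed because the app runs with `levelFrom=user` categories while the node carries no categories, so MLS would otherwise block the write; I would record that in a comment such as `# MLS: ofl_app runs with per-user categories (levelFrom=user); the node must be mlstrustedobject for its writes to pass`, and consider declaring the attribute next to the definition of st54spi_device instead. With the MLS check lifted, the TE allow rules are the only guard on this firmware-update node, and `rw_file_perms` also grants `ioctl` with no `allowxperm` filter, so it is worth confirming the agent really needs unrestricted ioctls. The file also still ends without a trailing newline.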
@@ -5,7 +5,7 @@ user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel dom
 user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_data_file levelFrom=all
 # Domain for OFLBasicAgentApp to support NFC/eSIM fw upgrade
-user=_app isPrivApp=true seinfo=platform name=com.thales.device.ofl.app.basicagent domain=ofl_app type=app_data_file levelFrom=user
+user=_app isPrivApp=true seinfo=platform name=com.thales.device.ofl.app.omapi_agent domain=ofl_app type=app_data_file levelFrom=user
 # Domain for connectivity monitor
 user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all
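Review bot: This mapping applies on every build type, but all rules for ofl_app in vendor/ofl_app.te are wrapped in `userdebug_or_eng`, so on a user build a platform-signed priv-app with this package name would be placed in a domain that has no `app_domain()` and no allow rules. If the agent is never shipped on user builds that is harmless, but the entry should say so, for example `# userdebug/eng only: ofl_app has no rules on user builds`. The comment above the entry still names OFLBasicAgentApp while the package is now `com.thales.device.ofl.app.omapi_agent`; update it if the app itself was renamed.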